Security Researchers Aim to Foil Vandals

FEATURED: Tom Perrine, Andrew Gross, and Tsutomu Shimomura, SDSC

Two or three
years ago, the worst things that most desktop computer users
worried about were virus attacks from trading disks with other users. But
as people and businesses across the country connect to the Internet, a
flurry of magazine and newspaper stories about computer break-ins has
painted an alarming picture, and many users are asking, "Is my computer at
risk?" In two concerted efforts to foil computer vandals, SDSC researchers
are working to make cyberspace a safer place.

"If you use a commercial service to log onto the Internet or surf the
World Wide Web, your personal system is safe from computer vandals," said
Tom Perrine, program administrator for the new Pacific Institute of
Computer Security (PICS) at SDSC. "But any computer system that's directly
connected to the Internet--yours, your employer's, your school's, or your
Internet Service Provider's--can be attacked by outsiders. If the system
administrator hasn't taken precautions, vandals may be able to break in
and steal, alter, or delete information."

The result of a $425,000 grant from the Institute for Defense Analyses in
late 1995 (see the Oct.-Dec. 1995 Gather/Scatter), PICS will develop tools
and countermeasures to prevent computer intrusions, analyze attacks as
they happen, and audit security measures. As these tools are refined, they
will be distributed free of charge to the managers of networked computer
installations.

NEIGHBORHOOD WATCH FOR THE INTERNET

In a related effort, SDSC has helped found the San Diego Regional Info
Watch. The first regional "neighborhood watch" group in cyberspace, the
Info Watch is a cooperative endeavor of SDSC; the Naval Command, Control
and Ocean Surveillance Center; the University of California, San Diego;
several local high-tech corporations; and the City of San Diego.

The national Computer Emergency Response Team (CERT), based at Carnegie
Mellon University, disseminates technical information about security
breaches. The Info Watch group does this for the region and promotes
personal contacts between system administrators, spreads warnings of
intrusion attempts, and maintains a database of names and emergency phone
numbers. (Urgent break-in alerts are sent by telephone, since it isn't a
good idea to inform an administrator by e-mail that intruders are reading
information in the system.)

"Computers can be made much more secure if administrators fix known bugs
in the operating system and warn users to be careful with their
passwords," Perrine said. "Unfortunately, many administrators aren't aware
of the problems and need to be educated. Some organizations don't spend
much time or effort on precautions because security isn't a 'profit
center.' They don't realize the cost of lax security until it's too late."

More than 9.4 million Internet host computers were registered as of
January 1996, according to Network Wizards, producers of the twice-yearly
Internet Domain Survey; each of these gives Net access to at least one
user. PICS experts estimate that commercial services such as America
On-Line and organizations with security firewalls give indirect Net access
to approximately 20 million more users. (Claims by commercial services are
notoriously imprecise.) The number of Internet hosts is constantly rising
(Figure 1).

Figure 1: Growth of the Internet

The number of registered host computers on the Internet had grown to
nearly 10 million by January 1996; most of these were added within the
last year. Estimates of the number of individual users, including those on
machines indirectly tied to the Internet, are approximately three times
higher.

Of these tens of millions of users, fewer than 10,000 are both malicious
and skillful enough to be dangerous, estimated SDSC's Andrew Gross, lead
researcher on the PICS program. Some computer hijackers on the information
superhighway don't intend to do lasting harm. They're joyriders who
want to gain entry just for the thrill. Only a few want to steal credit
card numbers and commercial software, destroy or alter records, or access
sensitive information, Gross said. But this tiny minority can cause
widespread damage because, unlike car thieves, they can strike dozens or
even thousands of times, anywhere in the nation, and many of their victims
never realize they've been attacked.

Most large commercial, educational, and government computer sites on the
Internet--SDSC included--are probed once or twice a day by would-be
intruders, according to Perrine. Most of these attempts don't get very
far. However, as the on-line population grows, experienced vandals are
sharing information with "wannabes" and giving them recipes for taking
advantage of security holes.

RECIPES FOR AVERTING DISASTER

"The most sophisticated intrusion methods either exploit subtle flaws in
the work software infrastructure that can't be corrected easily or else
take advantage of operating system bugs as soon as they're discovered,
before system administrators have a chance to fix them," Gross said.

PICS tools will let administrators monitor and log activity on their
systems. As a side benefit, they will help diagnose system setup problems
and detect malfunctioning hardware. For the hopefully rare cases in which
vandals do penetrate the computer's defenses, PICS also will distribute
"post-mortem" forensic utilities to determine after the fact how an
intruder broke in, what computing resources or data were affected, and how
to recover from the incident.

"The tools we're developing will install a set of advanced security
procedures painlessly," Gross said. "These programs have to be easy to
install and use, otherwise some people just won't accept them." Gross has
set up an "isolation ward" testbed, a system that includes several types
of host computers and networks, on which PICS will develop its network
analysis and post-mortem tools. Since the researchers will try to
penetrate and corrupt this testbed deliberately, it is not connected to
other networked computers at SDSC.

Meanwhile, SDSC security expert and PICS team member Tsutomu Shimomura
maintains another computer system that serves as a lure to would-be
vandals; it contains expendable files that appear to be useful programs,
recipes, and system specifications. Shimomura has become a popular hacker
target since he helped capture computer vandal Kevin Mitnick (see the
Jan.-Mar. 1995 Gather/Scatter). Although this system has a fair amount of
security in place, Shimomura deliberately left it vulnerable to some
standard attack methods, and it already has been penetrated. One set of
intruders apparently used simple-minded recipes to break in, copy
documents, and delete files. What the vandals didn't know was that their
actions were being monitored and logged as a test of the PICS intrusion
detection software (Figure 2).

Figure 2: What's a Frong?

This electronic exchange was captured by SDSC's Tsutomu Shimomura on
machines he set up to monitor unsuspecting hackers. The racial slurs
peppered throughout have been obscured. Beyond their lack of social
graces, the hackers showed their lack of prowess by never realizing they
had fallen for Shimomura's "bait"--hook, line, and sinker. Shimomura's
bait machines, isolated from SDSC's main network, will help test software
to recognize intrusions.

"What's interesting about these people is that they were the first
intruders who were so unskilled and dependent on their recipes that they
didn't even realize it was a bait machine," Shimomura said. "It used to be
that only a few technically proficient people had the resources to be
vandals, but widespread distribution of security-cracking recipes has
changed that. We need to give system administrators better tools than the
burglars have." --MG